Доброго времени суток!
Ни как не могу запустить L2TP сервер, конфигурация и логи ниже.
Подключаюсь с Win7 с адреса 2.2.2.2 на 5.5.5.5 через другого провайдера. Доходит до надписи "проверка пользователя и пароля" и через 3-4 секунды ошибка 691... Этот же роутер используется как NAT в инет.
Из ошибок в логе вижу что в начале семерка предлагает варианты и в конце они с циской сходятся на
*Apr 9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 5 against priority 10 policy
*Apr 9 07:24:48.665: ISAKMP: (0): encryption 3DES-CBC
*Apr 9 07:24:48.665: ISAKMP: (0): hash SHA
*Apr 9 07:24:48.665: ISAKMP: (0): default group 2
*Apr 9 07:24:48.665: ISAKMP: (0): auth pre-share
*Apr 9 07:24:48.665: ISAKMP: (0): life type in seconds
Дальше по логам вроде всё не плохо до места
*Apr 9 07:24:48.737: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
Тут как я понимаю роутер не может найти у себя в каком то списке какой то индекс. Насколько это фатально я не в курсе... Вроде и иос не npe, и модуль загружен соответствующий...
Лог выводил при
deb cry isakmp
deb cry ipsec
Может не достаточно? Всегда плавал в алгоритмах шифрования :(
Или сейчас провайдеры режут такой трафик? Или пытаются вклиниться?
Помогите разобраться.Конфигурация
aaa new-model
!
aaa authentication ppp default local
aaa authorization network default local
!
aaa attribute list vpnuser
attribute type addr 192.168.2.200 service vpdn protocol ip
!
aaa session-id common
!
no ip domain lookup
ip domain name tdts
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
license boot module c900 technology-package securityk9
!
username vpnuser password 123
redundancy
!
crypto keyring keyring_l2tp
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
no crypto isakmp default policy
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp aggressive-mode disable
crypto isakmp profile L2TP
keyring keyring_l2tp
match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto dynamic-map CRYPTO_MAP_REMOTE_USERS 10
set nat demux
set transform-set ESP-3DES-SHA ESP-AES-SHA
set isakmp-profile L2TP
reverse-route
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic CRYPTO_MAP_REMOTE_USERS
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
ip address 192.168.1.244 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet5
ip address 5.5.5.5 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map CRYPTO_MAP
!
interface Virtual-Template1
ip unnumbered GigabitEthernet4
peer default ip address pool l2tppool_for_clients
keepalive 5
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
no ip address
!
ip local pool l2tppool_for_clients 192.168.2.200 192.168.2.210
ip default-gateway 5.5.5.6
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool natpool 5.5.5.5 5.5.5.5 prefix-length 24
ip nat inside source list 33 interface GigabitEthernet5 overload
ip route 0.0.0.0 0.0.0.0 5.5.5.6
ip ssh version 2
Логи
*Apr 9 07:24:48.663: ISAKMP-PAK: (0):received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
*Apr 9 07:24:48.663: ISAKMP: (0):Created a peer struct for 2.2.2.2, peer port 500
*Apr 9 07:24:48.663: ISAKMP: (0):New peer created peer = 0x141FF2D8 peer_handle = 0x80000066
*Apr 9 07:24:48.663: ISAKMP: (0):Locking peer struct 0x141FF2D8, refcount 1 for crypto_isakmp_process_block
*Apr 9 07:24:48.663: ISAKMP: (0):local port 500, remote port 500
*Apr 9 07:24:48.663: ISAKMP: (0):insert sa successfully sa = FF838BC
*Apr 9 07:24:48.663: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 9 07:24:48.663: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 9 07:24:48.663: ISAKMP: (0):processing SA payload. message ID = 0
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):processing IKE frag vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID is NAT-T v2
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
*Apr 9 07:24:48.663: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.663: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
*Apr 9 07:24:48.665: ISAKMP: (0):found peer pre-shared key matching 2.2.2.2
*Apr 9 07:24:48.665: ISAKMP: (0):local preshared key found
*Apr 9 07:24:48.665: ISAKMP: (0):Scanning profiles for xauth ... L2TP
*Apr 9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Apr 9 07:24:48.665: ISAKMP: (0): encryption AES-CBC
*Apr 9 07:24:48.665: ISAKMP: (0): keylength of 256
*Apr 9 07:24:48.665: ISAKMP: (0): hash SHA
*Apr 9 07:24:48.665: ISAKMP: (0): default group 20
*Apr 9 07:24:48.665: ISAKMP: (0): auth pre-share
*Apr 9 07:24:48.665: ISAKMP: (0): life type in seconds
*Apr 9 07:24:48.665: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr 9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 2 against priority 10 policy
*Apr 9 07:24:48.665: ISAKMP: (0): encryption AES-CBC
*Apr 9 07:24:48.665: ISAKMP: (0): keylength of 128
*Apr 9 07:24:48.665: ISAKMP: (0): hash SHA
*Apr 9 07:24:48.665: ISAKMP: (0): default group 19
*Apr 9 07:24:48.665: ISAKMP: (0): auth pre-share
*Apr 9 07:24:48.665: ISAKMP: (0): life type in seconds
*Apr 9 07:24:48.665: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr 9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 3 against priority 10 policy
*Apr 9 07:24:48.665: ISAKMP: (0): encryption AES-CBC
*Apr 9 07:24:48.665: ISAKMP: (0): keylength of 256
*Apr 9 07:24:48.665: ISAKMP: (0): hash SHA
*Apr 9 07:24:48.665: ISAKMP: (0): default group 14
*Apr 9 07:24:48.665: ISAKMP: (0): auth pre-share
*Apr 9 07:24:48.665: ISAKMP: (0): life type in seconds
*Apr 9 07:24:48.665: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr 9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 4 against priority 10 policy
*Apr 9 07:24:48.665: ISAKMP: (0): encryption 3DES-CBC
*Apr 9 07:24:48.665: ISAKMP: (0): hash SHA
*Apr 9 07:24:48.665: ISAKMP: (0): default group 14
*Apr 9 07:24:48.665: ISAKMP: (0): auth pre-share
*Apr 9 07:24:48.665: ISAKMP: (0): life type in seconds
*Apr 9 07:24:48.665: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
*Apr 9 07:24:48.665: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr 9 07:24:48.665: ISAKMP: (0):Checking ISAKMP transform 5 against priority 10 policy
*Apr 9 07:24:48.665: ISAKMP: (0): encryption 3DES-CBC
*Apr 9 07:24:48.665: ISAKMP: (0): hash SHA
*Apr 9 07:24:48.665: ISAKMP: (0): default group 2
*Apr 9 07:24:48.665: ISAKMP: (0): auth pre-share
*Apr 9 07:24:48.665: ISAKMP: (0): life type in seconds
*Apr 9 07:24:48.665: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 9 07:24:48.665: ISAKMP: (0):atts are acceptable. Next payload is 0
*Apr 9 07:24:48.665: ISAKMP: (0):Acceptable atts:actual life: 86400
*Apr 9 07:24:48.665: ISAKMP: (0):Acceptable atts:life: 0
*Apr 9 07:24:48.665: ISAKMP: (0):Fill atts in sa vpi_length:4
*Apr 9 07:24:48.665: ISAKMP: (0):Fill atts in sa life_in_seconds:28800
*Apr 9 07:24:48.665: ISAKMP: (0):Returning Actual lifetime: 28800
*Apr 9 07:24:48.665: ISAKMP: (0):Started lifetime timer: 28800.
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):processing IKE frag vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):Support for IKE Fragmentation not enabled
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID is NAT-T v2
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 194 mismatch
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 241 mismatch
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 184 mismatch
*Apr 9 07:24:48.667: ISAKMP: (0):processing vendor id payload
*Apr 9 07:24:48.667: ISAKMP: (0):vendor ID seems Unity/DPD but major 134 mismatch
*Apr 9 07:24:48.667: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 9 07:24:48.667: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Apr 9 07:24:48.667: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 9 07:24:48.667: ISAKMP-PAK: (0):sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 9 07:24:48.667: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 9 07:24:48.667: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 9 07:24:48.667: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 9 07:24:48.691: ISAKMP-PAK: (0):received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 9 07:24:48.691: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 9 07:24:48.691: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Apr 9 07:24:48.691: ISAKMP: (0):processing KE payload. message ID = 0
*Apr 9 07:24:48.693: ISAKMP: (0):processing NONCE payload. message ID = 0
*Apr 9 07:24:48.693: ISAKMP: (0):found peer pre-shared key matching 2.2.2.2
*Apr 9 07:24:48.693: ISAKMP: (1090):received payload type 20
*Apr 9 07:24:48.693: ISAKMP: (1090):His hash no match - this node outside NAT
*Apr 9 07:24:48.693: ISAKMP: (1090):received payload type 20
*Apr 9 07:24:48.693: ISAKMP: (1090):His hash no match - this node outside NAT
*Apr 9 07:24:48.693: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 9 07:24:48.693: ISAKMP: (1090):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Apr 9 07:24:48.693: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Apr 9 07:24:48.693: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr 9 07:24:48.693: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 9 07:24:48.693: ISAKMP: (1090):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Apr 9 07:24:48.715: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Apr 9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Apr 9 07:24:48.715: ISAKMP: (1090):processing ID payload. message ID = 0
*Apr 9 07:24:48.715: ISAKMP: (1090):ID payload
next-payload : 8
type : 1
*Apr 9 07:24:48.715: ISAKMP: (1090): address : 192.168.1.132
*Apr 9 07:24:48.715: ISAKMP: (1090): protocol : 0
port : 0
length : 12
*Apr 9 07:24:48.715: ISAKMP: (0):peer matches L2TP profile
*Apr 9 07:24:48.715: ISAKMP: (1090):Found ADDRESS key in keyring keyring_l2tp
*Apr 9 07:24:48.715: ISAKMP: (1090):processing HASH payload. message ID = 0
*Apr 9 07:24:48.715: ISAKMP: (1090):SA authentication status:
authenticated
*Apr 9 07:24:48.715: ISAKMP: (1090):SA has been authenticated with 2.2.2.2
*Apr 9 07:24:48.715: ISAKMP: (1090):Detected port floating to port = 4500
*Apr 9 07:24:48.715: ISAKMP: (0):Trying to insert a peer 5.5.5.5/2.2.2.2/4500/,
*Apr 9 07:24:48.715: ISAKMP: (0): and inserted successfully 141FF2D8.
*Apr 9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Apr 9 07:24:48.715: ISAKMP: (1090):SA is doing
*Apr 9 07:24:48.715: ISAKMP: (1090):pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 9 07:24:48.715: ISAKMP: (1090):ID payload
next-payload : 8
type : 1
*Apr 9 07:24:48.715: ISAKMP: (1090): address : 5.5.5.5
*Apr 9 07:24:48.715: ISAKMP: (1090): protocol : 17
port : 0
length : 12
*Apr 9 07:24:48.715: ISAKMP: (1090):Total payload length: 12
*Apr 9 07:24:48.715: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Apr 9 07:24:48.715: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr 9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 9 07:24:48.715: ISAKMP: (1090):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Apr 9 07:24:48.715: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Apr 9 07:24:48.715: ISAKMP: (1090):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Apr 9 07:24:48.737: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 9 07:24:48.737: ISAKMP: (1090):set new node 1 to QM_IDLE
*Apr 9 07:24:48.737: ISAKMP: (1090):processing HASH payload. message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):processing SA payload. message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):processing NAT-OAi payload. addr = 192.168.1.132, message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):processing NAT-OAr payload. addr = 5.5.5.5, message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):Checking IPSec proposal 1
*Apr 9 07:24:48.737: ISAKMP: (1090):transform 1, ESP_AES
*Apr 9 07:24:48.737: ISAKMP: (1090): attributes in transform:
*Apr 9 07:24:48.737: ISAKMP: (1090): encaps is 4 (Transport-UDP)
*Apr 9 07:24:48.737: ISAKMP: (1090): key length is 128
*Apr 9 07:24:48.737: ISAKMP: (1090): authenticator is HMAC-SHA
*Apr 9 07:24:48.737: ISAKMP: (1090): SA life type in seconds
*Apr 9 07:24:48.737: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Apr 9 07:24:48.737: ISAKMP: (1090): SA life type in kilobytes
*Apr 9 07:24:48.737: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Apr 9 07:24:48.737: ISAKMP: (1090):atts are acceptable.
*Apr 9 07:24:48.737: IPSEC(validate_proposal_request): proposal part #1
*Apr 9 07:24:48.737: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 5.5.5.5:0, remote= 2.2.2.2:0,
local_proxy= 5.5.5.5/255.255.255.255/17/1701,
remote_proxy= 2.2.2.2/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 9 07:24:48.737: (ipsec_process_proposal)Map Accepted: CRYPTO_MAP_REMOTE_USERS, 10
*Apr 9 07:24:48.737: ISAKMP: (1090):processing NONCE payload. message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):processing ID payload. message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):processing ID payload. message ID = 1
*Apr 9 07:24:48.737: ISAKMP: (1090):received payload type 21
*Apr 9 07:24:48.737: ISAKMP: (1090):received payload type 21
*Apr 9 07:24:48.737: ISAKMP: (1090):QM Responder gets spi
*Apr 9 07:24:48.737: ISAKMP: (1090):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr 9 07:24:48.737: ISAKMP: (1090):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Apr 9 07:24:48.737: ISAKMP: (1090):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Apr 9 07:24:48.737: ISAKMP: (1090):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Apr 9 07:24:48.737: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 9 07:24:48.737: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYPTO_MAP_REMOTE_USERS, 10
*Apr 9 07:24:48.737: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 11B177E0
*Apr 9 07:24:48.737: IPSEC(create_sa): sa created,
(sa) sa_dest= 5.5.5.5, sa_proto= 50,
sa_spi= 0x23DB241A(601564186),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2167
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
local_proxy= 5.5.5.5/255.255.255.255/17/1701,
remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr 9 07:24:48.737: IPSEC(create_sa): sa created,
(sa) sa_dest= 2.2.2.2, sa_proto= 50,
sa_spi= 0x5BC75391(1539789713),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2168
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
local_proxy= 5.5.5.5/255.255.255.255/17/1701,
remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr 9 07:24:48.737: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Apr 9 07:24:48.737: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Static keyword or dynamic SA create for 2.2.2.2
*Apr 9 07:24:48.737: ISAKMP: (1090):Received IPSec Install callback... proceeding with the negotiation
*Apr 9 07:24:48.737: ISAKMP: (1090):Successfully installed IPSEC SA (SPI:0x23DB241A) on GigabitEthernet5
*Apr 9 07:24:48.737: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 4500 peer_port 4500 (R) QM_IDLE
*Apr 9 07:24:48.737: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr 9 07:24:48.737: ISAKMP: (1090):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Apr 9 07:24:48.737: ISAKMP: (1090):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Apr 9 07:24:48.757: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 9 07:24:48.757: ISAKMP: (1090):deleting node 1 error FALSE reason "QM done (await)"
*Apr 9 07:24:48.757: ISAKMP: (1090):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr 9 07:24:48.757: ISAKMP: (1090):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Apr 9 07:24:48.757: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 9 07:24:48.757: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Apr 9 07:24:48.759: IPSEC: Expand action denied, notify RP
*Apr 9 07:24:53.925: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 9 07:24:53.925: ISAKMP: (1090):set new node 1444909779 to QM_IDLE
*Apr 9 07:24:53.925: ISAKMP: (1090):processing HASH payload. message ID = 1444909779
*Apr 9 07:24:53.925: ISAKMP: (1090):processing DELETE payload. message ID = 1444909779
*Apr 9 07:24:53.925: ISAKMP: (1090):peer does not do paranoid keepalives.
*Apr 9 07:24:53.925: ISAKMP: (1090):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x5BC75391)
*Apr 9 07:24:53.925: ISAKMP: (1090):deleting node 1444909779 error FALSE reason "Informational (in) state 1"
*Apr 9 07:24:53.925: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 9 07:24:53.925: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5502
*Apr 9 07:24:53.925: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Apr 9 07:24:53.925: IPSEC: still in use sa: 0x135D01F8
*Apr 9 07:24:53.925: IPSEC(key_engine_delete_sas): delete SA with spi 0x5BC75391 proto 50 for 2.2.2.2
*Apr 9 07:24:53.925: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 5.5.5.5, sa_proto= 50,
sa_spi= 0x23DB241A(601564186),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2167
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
local_proxy= 5.5.5.5/255.255.255.255/17/1701,
remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr 9 07:24:53.925: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 2.2.2.2, sa_proto= 50,
sa_spi= 0x5BC75391(1539789713),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2168
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 5.5.5.5:0, remote= 2.2.2.2:0,
local_proxy= 5.5.5.5/255.255.255.255/17/1701,
remote_proxy= 2.2.2.2/255.255.255.255/17/4500
*Apr 9 07:24:53.925: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Apr 9 07:24:53.925: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Apr 9 07:24:53.925: ISAKMP-PAK: (1090):received packet from 2.2.2.2 dport 4500 sport 4500 Global (R) QM_IDLE
*Apr 9 07:24:53.925: ISAKMP: (1090):set new node -159405345 to QM_IDLE
*Apr 9 07:24:53.925: ISAKMP: (1090):processing HASH payload. message ID = 4135561951
*Apr 9 07:24:53.925: ISAKMP: (1090):processing DELETE payload. message ID = 4135561951
*Apr 9 07:24:53.925: ISAKMP: (1090):peer does not do paranoid keepalives.
*Apr 9 07:24:53.925: ISAKMP: (1090):deleting SA reason "No reason" state (R) QM_IDLE (peer 2.2.2.2)
*Apr 9 07:24:53.925: ISAKMP: (1090):deleting node -159405345 error FALSE reason "Informational (in) state 1"
*Apr 9 07:24:53.925: ISAKMP: (1090):set new node 829896282 to QM_IDLE
*Apr 9 07:24:53.925: ISAKMP-PAK: (1090):sending packet to 2.2.2.2 my_port 4500 peer_port 4500 (R) QM_IDLE
*Apr 9 07:24:53.925: ISAKMP: (1090):Sending an IKE IPv4 Packet.
*Apr 9 07:24:53.925: ISAKMP: (1090):purging node 829896282
*Apr 9 07:24:53.925: ISAKMP: (1090):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 9 07:24:53.925: ISAKMP: (1090):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Apr 9 07:24:53.925: ISAKMP: (1090):deleting SA reason "No reason" state (R) QM_IDLE (peer 2.2.2.2)
*Apr 9 07:24:53.925: ISAKMP: (0):Unlocking peer struct 0x141FF2D8 for isadb_mark_sa_deleted(), count 0
*Apr 9 07:24:53.925: ISAKMP: (1090):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 9 07:24:53.925: ISAKMP: (1090):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Apr 9 07:24:53.925: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS
*Apr 9 07:24:53.925: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0x11B177E0 ikmp handle 0x80000066
IPSEC IKMP peer index 0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x340000A7,peer index 0
*Apr 9 07:24:53.925: ISAKMP: (0):Deleting peer node by peer_reap for 2.2.2.2: 141FF2D8
*Apr 9 07:24:53.925: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Вариант для распечатки
